RSSMicrosoft Thanks Google for IE Fix
By Nate Mook | Published December 8, 2005, 12:30 PM
Google this week rolled out a fix to mitigate the risk from a newly discovered vulnerability in Internet Explorer that puts users of Google Desktop at risk even if they are running a fully updated system. Microsoft developers thanked Google for their work and say they are working on a patch for IE.
Uncovered by Israeli hacker Matan Gillon, the security hole involves a problem with the way IE imports cascading style sheets (CSS) from other Web sites, a technique referred to as cross site scripting (XSS). IE will import any type of file with a bracket, regardless of whether or not it's valid CSS.
By combining the flaw with Google's Desktop Search, a malicious Web site could read personal data off a visitor's machine.
"Our investigation indicates that this issue will have limited impact because an effective attack requires a website to expose sensitive information in a specific way. Basically, an attacker would need to find a way to make a response look like a Cascading Style Sheet, and that response would need to contain sensitive information," explained Microsoft security researcher Michael Howard.
Gillon supplied proof of concept code using Google News to highlight the potential risk. "A complete exploit can also iterate through the result pages to get more data and log the results on a remote server," he said. But Google has now closed that hole.
"Google has done a good thing for the protection of our mutual customers by mitigating the issue on their servers. We think that is great," added Howard.
"The underlying cross-site issue still exists within IE and I want to reassure you that we are investigating the root cause of this issue. Once the investigation is complete we'll take appropriate action for our customers which may include fixing this in a future security update for IE."
As I have said in the past... these extra tool bars are really worthless. Bookmark the search sites that you use most - simple as that. Why do you need to be running Google Desktop or Yahoo search bar in the first place? So that someone can better track your where abouts or what you are searching for so that they can better send you more specific Spam? Do not use these worthless tools if you even want to refer to them as tools... And if it's the RSS Feeds that you are looking to use there are tons of Good programs out there for that.
Score: 0
|There are two programs that are involved here not only MS. Google did not fix anything for Microsoft, and I fail to see how this problem is really one belonging to them(MS). You need to have Google Desktop installed and the code could read personal data. Could it be a problem with Google then, not MS. Yet everyone takes the potshot at MS. The way in which the story reads, is that the two must be present in order to be exploited. Am I wrong?
More importantly, is that problem has been fixed with regard to Desktop Search(by its developers) and MS will plug a hole that really wasn't a hole to begin with, and not being used.
Sounds very harmless at this point and no real basis for attacks on MS, who is by the way working on fixing this problem. Not really a priority at this time.
IMO
Score: 0
|Are you people 13? Everyone has bugs and holes. Had Google Desktop not had a hole in the first place then this would not have been brought to light.
I find it funny that you people are praising Google for their work while blasting MS. Both have holes. Google was able to band-aid a minor app. MS can't rush a band-aid out the door because they have to worry about backwards compatability and all the other subsystems which IE touches. IF they would slap a patch on it without regression testing then they would meet your requirement for a quick patch, but I'm sure it would have a negative impact somewhere else. I'm sure MS will opt to go safe vs please some lonely teenagers on a message board.
Score: 0
|Well said!
Score: 0
|Frank, did you read anything about this exploit? It's a flaw in Internet Explorer and Google's software (collecting information for search purposes) just allows people to abuse it. Google temporarily patched the problem until Microsoft releases a patch for IE (which we all know takes forever). Why don't you do a bit of research before blasting a bunch of people for something that's not true. I'm inclined to believe you didnt' even read the entire article.
Score: 0
|"The underlying cross-site issue still exists within IE and I want to reassure you that we are investigating the root cause of this issue. Once the investigation is complete we'll take appropriate action for our customers which may include fixing this in a future security update for IE."
Roughly translated, "You're screwed until IE 7, but that shouldn't suprise you."
Score: 0
|I just find it funny that Google fixed M$'s problem before M$ fixed it.
Score: 0
|That's the difference between quite well written code and unmaintainable code. ;)
Score: 0
|Kramy here you go again. You tell us from a Canadian point of view!
Score: 0
|That's because it was never M$ problem in the first place... it was a Google problem that Google created. I find it funny how you could say it's a M$ problem in the first place.
If I build a car and it works great than you install some device that was built by some other manufacturer and the car does not work properly afterwards is it a problem that I built into the car or was it a poor design by the manufacturer of the device that you installed...?
Score: 0
|You're wrong. It's Microsoft's problem, they admitted it, they thanked Google. Not only that, but the problem was around before anyone thought of using Google Desktop, and proof-of-concept code was floating around on the Internet. Stop bashing google.
Score: 0
|Google is the Devil!
Score: 0
|So the Devil is fixing Cthulu's Code now?
Heh..Google: QA for Microsoft.
Gotta love it.
Score: 0
|So since MS is thanking them, would MS be the Devil's Advocate? ;)
Score: 0
|not reading css right? thats the same thing as not supporting standards right, right?
lala
Score: 0
|no it is not.
Score: 0
|"Thanks, Google, for giving us more time to fix our security issue!"
Score: 0
|Google is still evil...They just want M$ to stop competing with them lol
Score: 0
|hmm....dont know if its evil, but it is big. or is evil just becoming another word for big these days.
Score: 0
|Does that mean that I have *really* Evil feet?
And Texas is the most Evil state in the USA?
Which is more Evil, the Pacific or Atlantic Ocean?
And the more I eat, the more Evil I become, right? (So long as I don't exercise...)
Score: 0
|Yeah, pretty much. :p
Evil heathen!
Score: 0
|I think you mean Alaska is the most evil state.
http://resourcescommitte...es/anwrpic/alaskaus.jpg
Score: 0
|You know what they say about guys with evil feet, right?
Score: 0
|lmao...
Score: 0
|But only slightly more Evil than Texas...
Score: 0
|Pacific is more evil. But Texas??? Alaska is the most Evil state. Get your facts straight :)
Score: 0
|As mentioned below, but thanks.
:)
Just a little earlier and you'd have had it. :P
Score: 0
|ROFL
Score: 0
|